Consumer Federation of California

Your Cell Phone Records Are For Sale

The calling details of our personal telephone records are for sale, and they are available to anyone willing to pay to know who we’ve been talking to, when, and for how long. There are no effective laws to prevent the sale of personal telephone records. The Consumer Federation of California is working to stop this invasion of our privacy.

In August 2005, the Electronic Privacy Information Center (EPIC), a public interest research center, reported having identified a staggering 40 websites offering to sell anyone our personal telephone calling records and other confidential information. Many of these insidious companies refer to themselves as data brokers, but in fact, they are data poachers, and they have been encroaching on our private lives.

Among the various offers publicized on the web pages of these brokers were the following: “Former United States Federal Agents”; investigations are conducted by “third-party independent search experts” and “[our company] does not know how they do the research or what databases they access”; “This search will enable you to trace a cell phone number back to the owner’s name and address listed on his/her billing statement. By providing us with a cellular telephone number we can run this number through a large national database used by law enforcement, and government agencies to bring back current information about the owner. A detective at our firm will research your order and send the results to your email address after your order is placed. Results available within 1-10 days sent to your email address.”

Is This Lawful?

Telephone services are regulated at both the federal and state level. Congress and the Federal Communications Commission (FCC) establish federal law, and the California Public Utilities Commission (PUC) and the state legislature establish California state regulations provided they are not in conflict with federal law.

In 1996, Congress passed the Telecommunications Act. Included in the Act is a clear and concise definition of what is currently a crucial term, Consumer Proprietary Network Information (CPNI). According to FCC regulations, the sale of Consumer Proprietary Network Information is illegal. CPNI includes all information pertaining to when a customer places a call, the person whom the customer calls, the location from which the call is placed, and the telephone service offerings to which the customer subscribes. The Act further states that no such proprietary (privileged) information shall be used by the carrier for marketing purposes unless the subscriber provides preauthorization of such use.

In addition, the California Public Utilities Code, Section 2891, states that no telephone company is allowed to provide a residential subscriber’s personal calling information (as described above) to another person or company without first obtaining the subscriber’s permission in writing. “Residential subscriber” is a term the PUC uses to describe traditional wire phone lines used by consumers other than businesses. The PUC privacy regulations do not cover cellular phone lines or business customers.

Most websites that sell telephone records obtain them by impersonating the telephone customers whose information they request, or by impersonating a phone company employee or law enforcement officer. “Pretexters” (impersonators) contact the subscribers’ phone company and ask to have information sent to them via email, fax or mailing address (none of which are actually listed on their account).

Phone companies too often comply with a pretexter’s request without independently verifying the identity of the individual inquiring about calling records.

EPIC reports that existing federal CPNI regulations are tailored to protect against telephone companies’ marketing of their subscribers’ personal/financial information. Existing privacy laws do not specifically make reference to prohibitions against third parties who fraudulently obtain and market the telephone records of telephone companies’ subscribers.

The Findings and Responses of Consumer Representatives

In July 2005, EPIC urged the FTC to investigate companies offering to sell phone calling records and other confidential consumer information, stating that such services cannot be provided in compliance with federal law. In late August of 2005, EPIC petitioned the FCC to develop new regulations for the protection of individual calling records. By November of 2005, telephone companies were urging the FCC to take action against companies that sell individuals’ phone records. By January of 2006, the FCC publicly released a statement indicating that “swift action” must be taken to address the problem of the illegal telephone-record sales. According to the FCC enforcement bureau, efforts were being made by the bureau to determine how such companies were going about obtaining customers’ phone records.

When telephone companies were asked by FCC Commissioners about the other companies with which they had shared consumer information, the telephone companies declined to answer, stating that “they consider their sharing practices proprietary information.” Apparently, phone companies value their corporate privacy more than they value the private records of their customers.

The FBI tested the system of one website by providing the personally identifying information of a FBI agent and paying a $160 fee, and, within three hours, received the agent’s phone call records. The Chicago Sun-Times reportedly tested the system by providing $110 and obtained the cell phone records of a reporter.

Current Efforts to Stop the Sale of Phone Calling Records

The Consumer Federation of California is supporting legislation in Sacramento to make providing or obtaining another person’s telephone records without preauthorization a punishable crime. We are also supporting federal legislation that would make the “selling and stealing” of telephone records a criminal offense. We are working with other consumer groups urging the FCC to develop stronger regulations for the protection of consumer proprietary network information (CPNI).

Steps That Consumers Can Take Now to Protect Their Phone Records

The Privacy Rights Clearinghouse recommends that telephone consumers take the following steps to protect their phone records:

Instruct the telephone company to remove “call details” from your bills.

Instruct the telephone company to require the use of a personally selected password/PIN for access to your account.

Inform the telephone company that you do not wish to receive password reminders electronically or in hardcopy.

Instruct the telephone company to deactivate online access to your telephone account.

Do not give out your personal cell phone number to the general public.

Instruct the telephone company to send a text message to your cell phone requesting your confirmation of any records requests.

Tell telephone companies that you would prefer not to provide your
social security number (SSN), and that you would prefer to provide an
alternate source of verification. If you do provide your SSN, ensure
that the company does not use the number as your account number, which
will be printed on your bill.

If you are concerned that someone has been intercepting billing
statements sent to your mailing address, you may want to rent a
post-office box.